Pierluigi Paganini September 26, 2017

Oracle fixed several issues in the Apache Struts 2 framework including the flaw CVE-2017-9805 that has been exploited in the wild for the past few weeks.

Oracle has released patches for vulnerabilities affecting many of its products, the IT giant has fixed several issues in the Apache Struts 2 framework, including the flaw CVE-2017-9805 that has been exploited in the wild for the past few weeks.

The vulnerability tracked as CVE-2017-9805 is related to the way Struts deserializes untrusted data, it affects all versions of Apache Struts since 2008, from Struts 2.5 to Struts 2.5.12.

The experts warn that the Struts REST communication plugin fails to handle XML payloads while deserializing them, all web applications using this plugin are vulnerable to remote attacks.

The company Lgtm, who discovered the CVE-2017-9805 vulnerability, warned that at least 65 percent of Fortune 100 companies use Struts and they could all be exposed to remote attacks due to this vulnerability.

The Apache Struts development team acknowledge the vulnerability and published a patch.

An exploit and a Metasploit module to trigger the CVE-2017-9805 vulnerability were created released shortly after its disclosure.

Researchers from Cisco Talos and NVISO Labs spotted attacks aimed to find vulnerable servers leveraging a Russian website used to send the requests and collect the results.

The Oracle Security Alert Advisory – CVE-2017-9805 includes the list of affected products and versions.

“Recently, the Apache Foundation released fixes for a number of additional Apache Struts 2 vulnerabilities, including CVE-2017-9805, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804, and CVE-2017-12611. Oracle just published Security Alert CVE-2017-9805 in order to distribute these fixes to our customers. Please refer to the Security Alert advisory for the technical details of these bugs as well as the CVSS Base Score information.” Eric Maurice, director of security assurance at Oracle, wrote in a blog post.

Oracle highlighted that the Apache Struts CVE-2017-5638 vulnerability exploited in the Equifax hack was patched in April 2017 by the Critical Patch Update (CPU).

The list of vulnerable products includes Oracle’s MySQL Enterprise Monitor, Communications Policy Management, FLEXCUBE Private Banking, Retail XBRi, Siebel, WebLogic Server, and several Financial Services and Insurance products.

Oracle also released security updates that address several other Struts vulnerabilities, including CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804, and CVE-2017-12611.

“Oracle strongly recommends that customers apply the fixes contained in this Security Alert as soon as possible,” continues Maurice.

The US-CERT also published a security advisory related the Oracle patches for Apache vulnerabilities and urges users to apply the necessary updates.

“Oracle has released security updates to address Apache Struts 2 vulnerabilities found across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.” reads the security advisory.

“US-CERT encourages users and administrators to review the Oracle Security Alert(link is external) and apply the necessary updates.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Struts, CVE-2017-9805 RCE)

[adrotate banner=”12″]